Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, so log files may contain credentials if plain cleartext login is configured. This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592
Related Vulnerabilities
CVE-2020-13937 Vulnerability in maven package org.apache.kylin:kylin
CVE-2021-28655 Vulnerability in maven package org.apache.zeppelin:zeppelin
CVE-2023-6134 Vulnerability in maven package org.keycloak:keycloak-services
CVE-2019-10330 Vulnerability in maven package org.jenkins-ci.plugins:gitea
CVE-2022-46684 Vulnerability in maven package com.checkmarx.jenkins:checkmarx